Atlassian Fixes Critical Hard-Coded Credential BugUnauthenticated Attacker Could Access Unpatched Servers
Atlassian released a patch for a hard-coded credential in its workspace collaboration tool Confluence. The Australian company has found no evidence of exploitation of the flaw, which may allow remote, unauthenticated attackers access to a user company's servers.
The vulnerability in software made by the software development and corporate collaboration tool purveyor is the latest in a string of embarrassments for the company, including the chief technology officer in April apologizing for a dayslong cloud outage.
Atlassian found the vulnerability in Questions for Confluence, a platform for requesting help and sharing knowledge with more than 8,000 active instances.
Once enabled on Atlassian's Confluence server or data center products, the application generated hard-coded credentials, typically with the username
disabledsystemuser. The credential was designed to aid the migration of app data to the Confluence cloud. It also allowed anyone with knowledge of it to view and edit nonrestricted pages of the Confluence app, Atlassian says in a security advisory.
The flaw, tracked as CVE-2022-26138, can allow a remote, unauthenticated attacker who knows the hard-coded password to log onto Confluence and access any pages the
confluence-users group has access to, Atlassian says.
Atlassian says it's not entirely sure which versions of the Confluence app are affected and says the best way to determine if an instance is affected is to check for an active
If such an account does show up, companies can check to see if it has been abused by viewing the last logon instance from the list of users. "If the last authentication time for
null, that means the account exists but no one has ever logged into it," Atlassian says.
This latest vulnerability comes just weeks after the company said hackers exploited a zero-day vulnerability affecting all supported versions of Confluence Server and Data Center (see: Unpatched Atlassian Confluence 0-Day Exploited in the Wild).
The bug gave attackers unauthenticated remote code execution privileges. The company issued a patch within a day (see: Atlassian Issues Patch for Critical Confluence Zero-Day).
Security researcher Kevin Beaumont tweeted that users of Confluence should ramp up security by putting it behind a VPN or a reverse proxy. "It's simply too historically vulnerable to leave online. You're a sitting duck," said Beaumont, a former Microsoft threat analyst.